Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
tree: 8c8ec7d516
Fetching contributors…

Cannot retrieve contributors at this time

248 lines (185 sloc) 17.77 kB

2.0.3

  • Fixed error where default session class does not exist.

  • Fixed human_name for the model to use its own human name and not delegate to the associated model. Translation should be under authlogic.models.user_session (or whatever the name of your session is).

  • Fixed human_attribute_name to use Authlogic keys for translation instead of ActiveRecord: authlogic.attributes.user_session.login.

2.0.2 released 2009-3-24

  • Reset failed_login_count if consecutive_failed_logins_limit has been exceed and the failed_login_ban_for has passed.

  • Update test helpers to use the new configuration scheme.

  • Fixed issue when logging doesn't update last_request_at, so the next persistence try would fail.

2.0.1 released 2009-3-23

  • Validate length of password.

  • Dont save sessions with a ! during session maintenance.

  • Add self_and_descendants_from_active_record for Rails 2.3

  • Abort acts_as_authentic if there is no DB connection or table.

2.0.0 released 2009-3-23

  • Refactored nearly all code and tests, especially acts_as_authentic. Got rid of the meta programming and rewrote to use modules and hooks. Also moved all configuration into their related modules.

  • Set up a strong API with hooks to allow you to modify behavior and most importantly, easily create “add on” modules or alternate authentication methods, etc.

  • Changed configuration method for acts_as_authentic to accept a block instead of a hash.

  • The record attribute will NEVER be set until after validation passes, similar to how ActiveRecord executes UPDATEs and CREATEs.

  • Fixed bug with session maintenance where user would log in as new user when creating another user account, typically an admin function.

  • Brute force protection is only a temporary ban by default, not a permanent one.

  • Switched to Hoe for gem management instead of Echoe.

  • Added MD5 crypto provider for legacy systems.

  • Make password salt field optional for legacy systems.

1.4.4 released 2009-3-2

  • Moved session maintenance to a before_save, to save on queries executed and to skip an unexpected / additional save on the user object.

  • Extracted random string generation into its own class and leverages SecureRandom if it is available

  • Move cookies to a higher priority when trying to find the record to help with performance since Rails 3 lazily loads the sessions

  • Reset perishable token in a before_save instead of a before_validation

1.4.3 released 2009-2-22

  • Fixed issue with brute force protection.

1.4.2 released 2009-2-20

  • Cleaned up callbacks system to use hooks and execute in the proper order.

  • Added brute force protection. See the consecutive_failed_logins_limit configuration option in Authlogic::Session::Config. Also see Authlogic::Session:BruteForceProtection

  • Fixed issue with calling stale? when there is no record.

  • Simon Harris fixed the issue of using lock_version with the associated record and also optimized the library for better performance.

  • Implemented saving the record during the callback chain to execute as few queries as possible. This way modules can hook into Authlogic, modify the associated record, and not have to worry about saving the record.

1.4.1 released 2009-2-8

  • Fixed I18n key misspelling.

  • Added I18n keys for ORM error messages.

  • Use the password_field configuration value for the alias_methods defined in acts_as_authentic/credentials.rb

  • Change shoulda macros implementation to follow the shoulda documentation

  • Rails >2.3 uses :domain for the session option instead of :session_domain. Authlogic now uses the proper key in the rails adapter.

  • Added validate_password attribute to force password validation regardless if the password is blank. This is useful for forms explicitly changing passwords.

  • The class level find method will return a session object if the session is stale. The protection is that there will be no record associated with that session. This allows you to receive an object and call the stale? method on it to determine why the user must log back in.

  • Added validate callbacks in Session::Base so you can run callbacks by calling validate :my_method, just like in AR.

  • Checked for blank persistence tokens when trying to validate passwords, this is where transitioning occurs. People transitioning from older systems never had a persistence token, which means it would be nil here.

  • Update allowed domain name extensions for email

  • Ignore default length options for validations if alternate length options are provided, since AR raises an error if 2 different length specifications are provided.

1.4.0 released 2009-1-28

  • Added support for cookie domain, based on your frameworks session domain configuration

  • Updated test helper functions to use the persistence token config value

  • Check for UTC times when using Time.now for current_login_at and last_request_at

  • Single access now looks for a single_access_allowed? method in your controllers to determine if single access should be allowed or not. Allowing you to define exactly when single access is allowed.

  • Finding the authenticated record uses klass.primary_key instead of assuming id.

  • BREAKS BACKWARDS COMPATIBILITY: New I18n solution implemented. See Authlogic::I18n for more information.

1.3.9 released 2009-1-9

  • Added the disable_perishable_token_maintenance option to disable the automatic resetting of the perishable_token, meaning you will have to maintain this yourself.

  • Changed shoulda macro to conform to standards so model is not required to be passed

  • Modified method definitions for the Session class to check for already defined methods, allowing you to write your own “credential” methods, and Authlogic will not overwrite your custom methods.

  • Fixed bug when passing :all to single_access_allowed_request_types

  • Added logout_on_timeout configuration option for Session::Base

1.3.8 released 2008-12-24

  • Only change persistence token if the password is not blank

  • Normalize the last_request_at_threshold so that you can pass an integer or a date/time range.

  • Fixed bug where password length validations were not being run because the password value was not blank. It should be run if it is a new record, the password has changed, or the password is blank.

  • Added disable_magic_states option for sessions, to turn off the automatic checking of “magic states” such as active?, confirmed?, and approved?.

1.3.7 released 2008-11-30

  • Added session generator: script/generate session UserSession

  • Added Test::Unit helpers file, see testing in the README

1.3.6 released 2008-11-30

  • Modified validates_length_of for password so that there is a fallback validation if the passed “if statement” fails

1.3.5 released 2008-11-30

  • :transition_from_crypto_provider for acts_as_authentic now accepts an array to transition from multiple providers. Which solves the problem of a double transition.

  • Added AES256 as a crypto_provider option, for those that want to use a reversible encryption method by supplying a key.

  • Fixed typo for using validates_format_of_options instead of validates_length_of_options

  • Fixed bug when accessing the dynamic method for accessing the session record in a namespace, since it uses class_name.underscore which replaces

    with a /

  • Added minimum length requirement of 4 for the password, and removed validates_presence_of for password since validates_length_of enforces this

  • Set before_validation to reset the persistence token if it is blank, since a password is not required for open id authentication

1.3.4 released 2008-11-24

  • Delegate human_attribute_name to the ActiveRecord class to take advantage of the I18n feature.

  • Fixed issue with passwords from older versions of restful_authentication, the passwords end with –

1.3.3 released 2008-11-23

  • Updated :act_like_restful_authentication for those using the older version where no site wide key is preset (REST_AUTH_SITE_KEY), Authlogic will adjust automatically based on the presence of this constant.

  • Added :transition_from_crypto_provider option for acts_as_authentic to transition your user's passwords to a new algorithm.

  • Added :transition_from_restful_authentication for acts_as_authentic to transition your users from restful_authentication to the Authlogic password system. Now you can choose to keep your passwords the same by using :act_like_restful_authentication, which will NOT do any transitioning, or you can use :transition_from_crypto_provider which will update your users passwords as they login or new accounts are created, while still allowing users with the old password system to log in.

  • Modified the “interface” for the crypto providers to only provide a class level encrypt and matches? method, instead of a class level encrypt and decrypt method.

1.3.2 released 2008-11-22

  • Updated code to work better with BCrypt, using root level class now.

1.3.1 released 2008-11-22

  • Fixed typo in acts_as_authentic config when passing the :scope option.

  • Added :act_like_restful_authentication option for acts_as_authentic

  • Added a new crypto provider: BCrypt, this is for those storing the nuclear launch codes in their apps

1.3.0 released 2008-11-21

  • BREAKS BACKWARDS COMPATIBILITY: changed the confirm_password field to password_confirmation for acts_as_authentic, since the rails validates_confirmation_of handles creating this attribute and there is no option to change the name of this.

  • BREAKS BACKWARDS COMPATIBILITY: Cleaned up all of the validation configuration for acts_as_authentic, as well as the documentation that goes with it, you can accomplish the same things as before, but this is much more flexible and much more organized. This is mainly for those implementing i18n support. Instead of :whatever_message, its now :login_field_validates_length_of_options => {:message => “your i18n friendly message”}. As a side note, with the new i18n support in rails I would not be surprised if this is already done for you since Authlogic uses the ActiveRecord validation methods.

  • Got rid of simple delegator for the abstract controller, apparently this has performance issues.

  • Cleaned up validations to assume ActiveRecord dirty attributes are present, I think this is a safe assumption.

1.2.2 released 2008-11-20

  • Added allow_blank_login_and_password_field and allow_blank_email_field options to acts_as_authentic, which allows you to have alternative logins, such as OpenID

  • In the session Authlogic now also stores the record id. We use this id to find the record and then check the token against the record, thus allowing for quicker database lookups, while getting the same security.

  • Skip validation for reset_perishable_token!

  • Added checks for uniqueness validations to only perform if the values have changed, this cuts down on DB queries

  • Abstract controller adapter now uses ruby's simple delegator class

  • Allow to save with a block: user_session.save { |result| }, result will either be false or self, this is useful when implementing OpenID and other methods

1.2.1 released 2008-11-19

  • Added build method to authenticates_many association to act like AR association collections.

  • Added validation boolean configuration options for acts_as_authentic: validate_field, validate_login_field, validate_password_field, validate_email_field. This turns on and off validations for their respective fields.

  • Renamed all password_reset_token terms to perishable_token, including configuration, etc. I still allow for the old configurations so this will not break compatibility, but perishable token is a better name and can be used for account confirmation as well as a password reset token, or anything else you want.

  • Renamed all remember_token instances to persistence_token, the term “remember token” doesn't really make sense. I still allow for the old configuration, so this will not break backwards compatibility: persistence_token fits better and makes more sense.

1.2.0 released 2008-11-16

  • Added check for database set up in acts_as_authentic to prevent errors during migrations.

  • Forced logged_in and logged_out named scopes to use seconds.

  • Hardened valid_password? method to only allow raw passwords.

  • controllers and scopes are no longer stored in class variables but in the Thread.current hash so their instances die out with the thread, which frees up memory.

  • Removed single_access_token_field and remember_token_field from Sesson::Config, they are not needed there.

  • Added password_reset_token to assist in resetting passwords.

  • Added email_field, email_field_regex, email_field_regex_failed_message configuration options to acts_as_authentic. So that you can validate emails as well as a login, instead of the either-or approach.

  • Added configuration for all validation messages for the session so that you can modify them and provide I18n support.

1.1.1 released 2008-11-13

  • Removed ActiveRecord dependency.

  • Removed loading shoulda macros by default, moved to shoulda_macros dir.

  • Modified how params access works. Added in single_access_token_field which params now uses. See the single access section in the README. Various configuration options added as well.

  • Cleaned up acts_as_authentic configuration, added new config module to do this.

  • Cleaned up acts_as_authentic tests

  • Moved acts_as_authentic sub modules into the proper name spaces

1.1.0 released 2008-11-13

  • Moved Rack standards into abstract_adapter for the controllers.

  • Added authenticating_with_credentials?, authenticating_with_unauthorized_record?

  • Fixed typo in abstract_adapter, black to block.

  • Cleaned up / reorganized tests.

  • Moved ActiveRecord additions to ORM Adapters name space to make way for Data Mapper.

  • Reorganized and modified acts_as_authentic to be free standing and not get info from the related session.

  • The session now gets its configuration from the model, since determining which fields are present is ORM specific.

  • Extracted session and cookie logic into their own modules for Session.

  • Moved crypto providers into their own module and added a Sha1 provider to help with the restful_authentication transition.

  • Allow the unique_token method to use the alternate crypto_provider if it is a hash algorithm, otherwise default to Sha512.

  • Added last_request_at_threshold configuration option.

  • Changed Scoped class to AuthenticatesManyAssociation, like AR has HasManyAssociation, etc.

  • Added should_be_authentic shoulda macro.

  • Removed some magic from how sessions are initialized. See the initialize documentation, this method is a little more structured now, which was required for adding in openid.

  • Added in logging via a params token, which is friendly for feed URLs. Works just like cookies and sessions when persisting the session.

  • Added the option to use session.user, instead of session.record. This is based off of what model your session is authenticating with.

1.0.0 released 2008-11-05

  • Checked for blank login counts, if a default wasnt set in the migrations.

  • Added check for database table in acts_as_authentic to avoid errors in initial setup.

  • Completely rewrote tests to be more conventional and thorough tests, removed test_app.

  • Modified how validations work so that a validate method was added as well as callbacks for that method.

  • Extracted scope support into its own module to help organize code better.

  • Added in salt for encryption, just like hashes and removed :crypto_provider_type option for acts_as_authentic.

  • Added merb adapters.

  • Improved documentation throughout.

0.10.4 released 2008-10-31

  • Changed configuration to use inheritable attributes

  • Cleaned up requires to be in their proper files

  • Added in scope support.

0.10.3 released 2008-10-31

  • Instead of raising an error when extra fields are passed in credentials=, just ignore them.

  • Added remember_me config option to set the default value.

  • Only call credential methods if an argument was passed.

  • More unit tests

  • Hardened automatic session updating. Also automatically log the user in if they change their password when logged out.

0.10.2 released 2008-10-24

  • Added in stretches to the default Sha512 encryption algorithm.

  • Use column_names instead of columns when determining if a column is present.

  • Improved validation callbacks. after_validation should only be run if valid? = true. Also clear errors before the “before_validation” callback.

0.10.1 released 2008-10-24

  • Sessions now store the “remember token” instead of the id. This is much safer and guarantees all “sessions” that are logged in are logged in with a valid password. This way stale sessions can't be persisted.

  • Bumped security to Sha512 from Sha256.

  • Remove attr_protected call in acts_as_authentic

  • protected_password should use pasword_field configuration value

  • changed magic state “inactive” to “active”

0.10.0 released 2008-10-24

  • Do not allow instantiation if the session has not been activated with a controller object. Just like ActiveRecord won't let you do anything without a DB connection.

  • Abstracted controller implementation to allow for rails, merb, etc adapters. So this is not confined to the rails framework.

  • Removed create and update methods and added save, like ActiveRecord.

  • after_validation should be able to change the result if it adds errors on callbacks.

  • Completed tests.

0.9.1 released 2008-10-24

  • Changed scope to id. Makes more sense to call it an id and fits better with the ActiveRecord model.

  • Removed saving_from_session flag, apparently it is not needed.

  • Fixed updating sessions to make more sense and be stricter.

  • change last_click_at to last_request_at

  • Only run “after” callbacks if the result is successful.

0.9.0 released 2008-10-24

  • Initial release.

Jump to Line
Something went wrong with that request. Please try again.